Even though ransomware is one of the threats du jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.

Windows Script Files Seen in Multiple Ransomware Campaigns

Starting in May 2016, ransomware distributors began using Windows Script Files (.wsf) to download and execute several ransomware payloads: Locky, Cerber, and CryptMIC. The script files are typically delivered inside .zip email attachments, but sources have also observed phishing messages carrying a URL that points to a malicious .zip file.

“Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer [the user] increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.” – Microsoft Malware Protection Center, Threat Research and Response Blog
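The container structure the Microsoft quote describes is easy to inspect programmatically, and doing so is a useful triage step because one .wsf can carry both VBScript and JScript blocks. The following Python is an added example written for this post, not code from the campaigns or from Microsoft; the sample file, the ProgID watch list, and the function names are assumptions of the example.

```python
"""Walk a Windows Script File (.wsf) container and report what it would run.

A .wsf is XML: a <package> holding one or more <job> elements (or a bare
<job>), each holding <script> elements whose language attribute selects the
engine (VBScript or JScript). Because one file can mix both, a scanner that
only greps for one language misses half the picture.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not taken from any real campaign.
# One job mixes a VBScript block with a JScript block that instantiates
# WScript.Shell, the COM object scripts use to spawn processes and
# resolve environment variables such as %TEMP%.
SAMPLE_WSF = """<?xml version="1.0"?>
<package>
  <job id="main">
    <script language="VBScript">
      <![CDATA[
      Dim marker
      marker = "stage one"
      ]]>
    </script>
    <script language="JScript">
      <![CDATA[
      var sh = new ActiveXObject("WScript.Shell");
      var tmp = sh.ExpandEnvironmentStrings("%TEMP%");
      ]]>
    </script>
  </job>
</package>
"""

# COM ProgIDs that script-based downloaders commonly instantiate. The list is
# an assumption of this example, not something the post enumerates.
WATCHED_PROGIDS = (
    "WScript.Shell",
    "Scripting.FileSystemObject",
    "MSXML2.XMLHTTP",
    "MSXML2.ServerXMLHTTP",
    "ADODB.Stream",
)


def parse_wsf(text):
    """Return one record per <script> element: job id, language, src, body.

    ElementTree is a strict XML parser. Windows Script Host is more tolerant,
    so a file that the host still runs but that fails here is itself worth a
    second look rather than being silently skipped.
    """
    root = ET.fromstring(text)
    jobs = [root] if root.tag.lower() == "job" else root.iter("job")
    records = []
    for job in jobs:
        for script in job.findall("script"):
            records.append({
                "job": job.get("id", ""),
                "language": script.get("language"),   # None if undeclared
                "src": script.get("src"),             # external script file, if any
                "body": (script.text or "").strip(),  # CDATA content, if inline
            })
    return records


def watched_objects(text):
    """Set of watched ProgIDs referenced by any inline script body."""
    found = set()
    for rec in parse_wsf(text):
        for progid in WATCHED_PROGIDS:
            if re.search(re.escape(progid), rec["body"], re.IGNORECASE):
                found.add(progid)
    return found


if __name__ == "__main__":
    for rec in parse_wsf(SAMPLE_WSF):
        print(f'job={rec["job"]!r} language={rec["language"]!r} src={rec["src"]!r}')
    print("watched objects:", sorted(watched_objects(SAMPLE_WSF)))
```

Note the `src` attribute: a `<script>` element can pull its code from an external file instead of carrying it inline, so a scan of the .wsf body alone will not see that code; record the referenced path and retrieve it separately.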

Early May: the actors behind the Cerber ransomware launch a phishing campaign that relies on .wsf files contained in double-zipped email attachments (a .zip nested inside another .zip). Forcepoint says this was the first time it had seen Cerber delivered using .wsf files.

Mid- to late July: criminals use the .wsf method to push both Locky and Cerber, according to Cloudmark and Microsoft. Unlike the early May Cerber campaign, the script files are not double-zipped. Trend Micro also spots widespread Locky phishing activity using the same installation technique: a .wsf file inside a .zip archive.

Early August: Invincea identifies an attempted CryptMIC infection. Delivery techniques mirror those seen in July. Additional details on this recent activity are provided below.

Recent August 2016 CryptMIC Ransomware Campaign

In early August, Invincea observed an attempted CryptMIC ransomware infection. Notable in the infection chain was the use of a Windows Script File (.wsf) to execute the malware.

The .zip and the .wsf file it contains both land in the user’s %TEMP% directory (Users\[User_Name]\AppData\Local\Temp\[mal_document.zip]\[mal_document.wsf]). The path shows the script being opened from inside the archive: the .wsf runs from a subfolder of %TEMP% named for the .zip rather than from a location the user chose.

Windows Script Host (wscript.exe), the default handler for the .wsf extension, executes the script file.

The .wsf file then a) writes a PHP script to the user’s Internet Explorer cache directory (the exact location varies by Windows version), b) writes radXXXXX.tmp to %TEMP% and executes it, where the .tmp file is the ransomware identified as CryptMIC and XXXXX is a random five-character hexadecimal value (e.g., E2610, 075AC), and c) creates a malicious .dll and a .job (i.e., scheduled task) file in the C:\Windows\System32\ directory. Each of those three steps leaves a host artifact worth hunting for: a script host launched from a %TEMP% path, a rad*.tmp file written and then executed, and a .job file appearing in System32.
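The infection chain above maps onto process-creation and file-write telemetry (Sysmon event IDs 1 and 11, or an EDR feed) as a handful of rules that are more robust than hashes, since the .tmp name and the .wsf lure change per campaign. The Python below is an added example written for this post, not Invincea's detection logic; the sample events, pids, file names, and rule names are constructed assumptions, and the path patterns follow the form the post gives (a .wsf beneath a .zip folder under %TEMP%, a rad plus five hex characters .tmp, a .job in System32).

```python
"""Hunt the .wsf-to-ransomware chain in process and file-write telemetry."""
import re

# Constructed telemetry modelled on the chain in the post. Names, pids and
# paths are illustrative; they are not indicators from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'"C:\Users\alice\AppData\Local\Temp\invoice.zip\invoice.wsf"'},
    {"type": "file_write", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\radE2610.tmp"},
    {"type": "process", "pid": 4188,
     "image": r"C:\Users\alice\AppData\Local\Temp\radE2610.tmp",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\radE2610.tmp"},
    {"type": "file_write", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Windows\System32\upd.job"},
    # Benign control: an inventory script run by cscript from a managed share.
    {"type": "process", "pid": 5100,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "\\fileserver\netlogon\inventory.wsf"'},
]

SCRIPT_HOST = re.compile(r"\\(w|c)script\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WSF_IN_ZIP = re.compile(r'\.zip\\[^\\"]+\.wsf\b', re.IGNORECASE)
RAD_TMP = re.compile(r"\\rad[0-9A-F]{5}\.tmp$", re.IGNORECASE)
SYSTEM32_JOB = re.compile(r"^[A-Z]:\\Windows\\System32\\[^\\]+\.job$", re.IGNORECASE)


def wsf_launched_from_zip_in_temp(ev):
    """Script host running a .wsf that sits beneath a .zip folder in %TEMP%."""
    return (ev["type"] == "process"
            and SCRIPT_HOST.search(ev["image"]) is not None
            and TEMP_DIR.search(ev["cmdline"]) is not None
            and WSF_IN_ZIP.search(ev["cmdline"]) is not None)


def rad_tmp_dropped_by_script_host(ev):
    """wscript/cscript writing a rad<5 hex>.tmp file."""
    return (ev["type"] == "file_write"
            and SCRIPT_HOST.search(ev["image"]) is not None
            and RAD_TMP.search(ev["target"]) is not None)


def rad_tmp_executed(ev):
    """A rad<5 hex>.tmp file running as its own process."""
    return ev["type"] == "process" and RAD_TMP.search(ev["image"]) is not None


def job_written_to_system32(ev):
    """A scheduled-task .job file created directly in System32."""
    return ev["type"] == "file_write" and SYSTEM32_JOB.search(ev["target"]) is not None


RULES = {f.__name__: f for f in (wsf_launched_from_zip_in_temp,
                                  rad_tmp_dropped_by_script_host,
                                  rad_tmp_executed,
                                  job_written_to_system32)}


def detect(events):
    """Map rule name -> list of indices of matching events."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def chain_from_same_host(events):
    """True when the launch and the drop share a script-host pid and the
    dropped .tmp was then executed: the full chain, not a lone .wsf run."""
    hits = detect(events)
    launch_pids = {events[i]["pid"] for i in hits.get("wsf_launched_from_zip_in_temp", [])}
    drop_pids = {events[i]["pid"] for i in hits.get("rad_tmp_dropped_by_script_host", [])}
    return bool(launch_pids & drop_pids) and "rad_tmp_executed" in hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
    print("full chain on one host:", chain_from_same_host(SAMPLE_EVENTS))
```

The per-rule hits are what an analyst would page through; the pid correlation in chain_from_same_host is the part that separates the delivery chain from an administrator's legitimate cscript.exe run, which the benign control event exercises. %TEMP% can point elsewhere on hardened builds, so adjust TEMP_DIR to your environment before relying on it.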

See Appendix A for file and network indicators associated with this activity.

Some Thoughts on Consuming Intelligence

As I mentioned in the introduction of this post, I think this type of research is routine. I often encounter threats and TTPs that I’m not familiar with, so I have to invest time into studying and absorbing the knowledge that already exists. I suspect this is the case for many analysts. I consider this process to be an important aspect of intelligence consumption.

There are three points I want to raise about this process:

It’s impossible for analysts to understand every threat. No analyst is aware of, or can understand, every threat or tactic. Analysts must be allowed the time to study threats they don’t understand and which are, or could be, relevant to the organization.

Intelligence consumption involves more than just ingesting IOCs. I believe that the time analysts spend studying threats is part of the intelligence consumption process: it’s not just about collecting IOCs. It’s about consuming the knowledge that is available to develop an understanding of the threat. This often flows directly into the analysis process as analysts consider how and why the threat at hand is relevant.

Producing organization-specific intelligence should be a by-product of consumption. If analysts are taking the time to do the research, they should take the extra step to document and memorialize it for the benefit of their future selves, their intelligence customers, and their organization. The analyst should write a report (not just notes) with a title, summary, and research findings. More importantly, the analyst should include an organization-specific spin: why is the threat relevant to the organization? Are there opportunities to prevent or detect the threat? Answering these questions, even at a basic level, reinforces the practice of tying intelligence activities and reporting to requirements.

Intelligence Consumption Tips – Setting Yourself Up For Successful Production

I think that generating intelligence reports can go hand-in-hand with consuming intelligence. Generating reports also provides a consistent way of managing knowledge.

So, here are some consumption-to-production tips that have worked for me:

Don’t under-value the importance of synthesizing multiple sources and creating a narrative in your own words. Don’t feel obligated to dig for ground-breaking information. Establishing what you know starts with figuring out what others already know.

Establish a basic chronology of the threat activity you are studying. The chronology should be based on when the activity occurred, not when sources reported it. Be sure to cite your sources!

If you don’t have time to create a full timeline, that’s okay. Just focus on capturing the information you can. When you return to the project it will be easier to continue building a timeline and broader context. When I started writing this post, I focused on the CryptMIC activity first. I wanted my synthesis of the .wsf TTP to stand on its own as a short report. It actually wasn’t until I was further into the research that I realized I could place the CryptMIC activity within a more expansive timeline. But the timeline section could also stand on its own. Whether you start with the technical deep-dive or the high-level synthesis, be sure that you can eventually tie the two together.

Practice taking your raw notes and massaging them into complete sentences. Then craft those sentences into paragraphs and build a narrative. We tend to jot down fragmented notes which remain like that on our desktops in CSV, TXT, and DOC files. This is a challenging way to manage your knowledge. Pull those notes and sources together and write a report!

I personally learned a lot from doing this exercise. Sure, I could have read all of the reports I reference above and left it at that, but there’s nothing like putting pen to paper to ingrain what you’ve learned, and to make it available for your customers.

These types of intelligence products generally aren’t glamorous. But I think they form an essential foundation of knowledge. This knowledge can drive prevention, detection, and hunting efforts.

Such is the way of open source research. Thanks for sharing this, but something that’s important to point out is that email attachments and links are not the only way that this stuff is getting in, as illustrated by Le Chiffre and Samas.